Lucene search
K

371 matches found

NVD
NVD
added 3 days ago6 views

CVE-2026-57167

PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence...

5.1CVSS0.00269EPSS
Exploits0References3
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-42952

PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence...

5.1CVSS6.2AI score0.00269EPSS
Exploits0References3
OSV
OSV
added 2026/07/06 5:55 a.m.3 views

BIT-MASTODON-2026-48028 Mastodon: Removal of integrity-protected JSON entries from signed activities

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors...

6.5CVSS6AI score0.00124EPSS
Exploits0References2
Circl
Circl
added 2026/07/02 3:13 p.m.10 views

CVE-2026-6902

creationtimestamp| type| source ---|---|--- 2026-07-02 15:13:56+00:00| seen| https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mpod2scxtv72...

7.7CVSS5.8AI score0.00449EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 8:17 p.m.5 views

CVE-2026-58593

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedT...

8.7CVSS0.00191EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/07/01 7:27 p.m.34 views

CVE-2026-58593 NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedT...

8.7CVSS0.00191EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/07/01 7:27 p.m.6 views

CVE-2026-58593

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedT...

8.7CVSS6AI score0.00191EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/07/01 7:27 p.m.24 views

CVE-2026-58593

NodeBB is affected by CVE-2026-58593 where inbound ActivityPub objects are not correctly bound to the authenticated remote actor. The middleware verifies the HTTP-signature actor and origin of object.id but does not validate that attributedTo corresponds to the sender, treating attributedTo as a ...

8.7CVSS6AI score0.00191EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/07/01 7:27 p.m.7 views

CVE-2026-58593 NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedT...

8.7CVSS6AI score0.00191EPSS
Exploits1References3
EUVD
EUVD
added 2026/07/01 7:27 p.m.8 views

EUVD-2026-41131

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedT...

8.7CVSS6AI score0.00191EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.10 views

PT-2026-54922

Name of the Vulnerable Software and Affected Versions NodeBB affected versions not specified Description NodeBB fails to bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. While the inbound middleware verifies the HTTP-signature actor and the origin of the...

8.7CVSS5.9AI score0.00191EPSS
Exploits1References8
OSV
OSV
added 2026/06/30 11:39 p.m.3 views

BIT-GHOST-2026-53950 @tryghost/activitypub: XSS in Ghost's ActivityPub client

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0...

7.5CVSS5.8AI score0.00204EPSS
Exploits0References2
NVD
NVD
added 2026/06/24 8:16 p.m.6 views

CVE-2026-46348

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make...

8.7CVSS0.00337EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 8:16 p.m.6 views

CVE-2026-48028

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors...

6.5CVSS0.00124EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 7:17 p.m.8 views

CVE-2026-53950

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0...

7.5CVSS0.00204EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 6:4 p.m.31 views

CVE-2026-53950 @tryghost/activitypub: XSS in Ghost's ActivityPub client

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0...

7.5CVSS0.00204EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 6:4 p.m.11 views

CVE-2026-53950

CVE-2026-53950 affects @tryghost/activitypub (Ghost’s ActivityPub client). Before 3.1.0, the ActivityPub client was susceptible to JavaScript injection on posts shared from a maliciously customized ActivityPub server. The issue is fixed in 3.1.0. The associated metrics indicate a high-severity im...

7.5CVSS5.9AI score0.00204EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.30 views

PT-2026-52078

Name of the Vulnerable Software and Affected Versions Mastodon versions prior to 4.5.10 Mastodon versions prior to 4.4.17 Mastodon versions prior to 4.3.23 Description Mastodon is a free, open-source social network server based on ActivityPub. The normalization of incoming activities signed with...

5.3CVSS5.9AI score0.00162EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.8 views

PT-2026-52074

Name of the Vulnerable Software and Affected Versions @tryghost/activitypub versions prior to 3.1.0 Description The ActivityPub client in Ghost is susceptible to JavaScript injection. This occurs when the client processes posts shared by a maliciously customized ActivityPub server, allowing the...

7.5CVSS6.1AI score0.00204EPSS
Exploits0References5
NVD
NVD
added 2026/06/10 10:16 p.m.11 views

CVE-2026-42462

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its...

7CVSS0.00171EPSS
Exploits0References2
Rows per page
Query Builder